21 June 2013: Press reports this week have thrown up questions about the impact of the Data Protection Act 1998, and whether it is necessary to redact published documents to remove employee information such as names, unless consent has been given first by the people named.
Press reports have suggested that the answer is simple, but the Information Commissioner’s guidance is not particularly straightforward.
Schedule 2 of the Act states that data can be processed if:
1. The data subject has given his consent to the processing.
2. The processing is necessary for the performance of the contract (ie the employment contract with the person in question); or
3. The processing is necessary for compliance with any legal obligation;
4. The processing is necessary in order to protect the vital interests of the person in question; or
5. for other reasons including the administration of justice.
The Information Commissioner has produced guidance as to when data can be disclosed, which can be found at Information Commissioner website. However that Guidance does not appear to directly address the question.
It would certainly be good practice to get the person’s express permission before naming them in the document if it is critical of them, and or to give them the right to respond to any allegations first. However that is not the end of the matter. There might be a fine balancing act to strike though, between factors including the need to comply with legal obligations, the administration of justice, the public interest, and whether information was given in confidence, and the consequence of disclosing the information on the person involved.
If in any doubt, call the Information Commissioner’s hotline 0303 123 1113. Especially if staff may have to be held publicly accountable, prepare a suitable Data Protection Policy addressing the issue and circulate it to staff first.